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WE CLAIM: 

1. A pseudorandom number generating apparatus 
wherein said pseudorandom number generating apparatus 
comprises : 

a state storage section; 
a buffer; 

a state transformation section for conducting 
transformation using a storage content of said buffer 
and a storage content of said state storage section and 
outputting a result of the transformation; 

a state storage control section for updating 
an internal state of said state storage section by 
using the output of said state transformation section 
according to a clock; and 

a buffer control section for updating an 
internal state of said buffer by using the output of 
said buffer transformation section, 

said state storage section has a capacity of 
3 blocks (where one block has n bits) , and said buffer 
has a capacity of a plurality of blocks, and 

said state transformation section comprises: 

a nonlinear transformation section that uses 
the storage content of said buffer and the storage 
content of said state storage section as inputs; and 

an output section for outputting one block 
data included in said result of the transformation as a 
partial random number sequence. 

2 . A pseudorandom number generating apparatus 



- 35 - 

according to claim 1, wherein 

said state transformation section comprises a 
first operation section and a second operation section, 

said first operation section comprises: an 
input section for accepting 1st and 2nd blocks included 
in three blocks stored in said state storage section, 
and a block stored in the buffer, as inputs thereof; a 
first nonlinear transformation section for conducting 
nonlinear transformation on said 1st block and said 
block stored in the buffer and outputting n-bit data; a 
third operation section for receiving an output of said 
first nonlinear transformation section and said 2nd 
block as inputs thereof and conducting a logical opera- 
tion on the inputs; and an output section for output- 
ting said 1st block and a result of the operation 
conducted by said third operation section, and 

said second operation section comprises: an 
input section for accepting either output of said first 
operation section, a 3rd block stored in said state 
storage section, and said block stored in the buffer, 
as inputs thereof; a second nonlinear transformation 
section for conducting nonlinear transformation on 
either output of said first operation section and said 
block stored in the buffer and outputting n-bit data; a 
fourth operation section for receiving an output of 
said second nonlinear transformation section and said 
3rd block as inputs thereof and conducting a logical 
operation on the inputs; and an output section for 



outputting either output of said first operation 
section and a result of the operation conducted by said 
fourth operation section. 

3. A pseudorandom number generating apparatus 
according to claim 2, wherein 

said state transformation section further 
comprises a permutation section, and 

said permutation section conducts permutation 
so that operation results of said third and fourth 
operation sections will be stored in said state storage 
section as blocks different from blocks respectively 
input to said third and fourth operation sections. 

4 . A pseudorandom number generating apparatus 
according to claim 1, wherein 

said state transformation section conducts 
the following processing: 

X L <~ a H'* 

x H <r- a M XOR F(a H/ bj 

x M <- a L XOR G(x H , b.) 
(where a high-order block of the storage content of the 
state storage section is denoted by a H , an intermediate- 
order block of the storage content of the state storage 
section by a M , a low-order block of the storage content 
of the state storage section by a L , an ith block of said 
buffer storage section by b lf said nonlinear transforma- 
tion section by F(a, b) and G(a, b) , substitution of 
data by a high-order block of a transformation 

result by x H , and an intermediate-order block of the 
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transformation result by x M , a low-order block of the 
the transformation result by x L , and it is assumed that 
i * j) - 

5. A pseudorandom number generating apparatus 
according to claim 1, wherein 

said state transformation section conducts 
the following processing: 
x L <- a M ; 

x M <- a H XOR F(a M , bj 

x H <- a L XOR G(a M , b 3 ) 
(where a high-order block of the storage content of the 
state storage section is denoted by a H , an intermediate- 
order block of the storage content of the state storage 
section by a M , a low-order block of the storage content 
of the state storage section by a L , a jth block of said 
buffer storage section by bj , said nonlinear trans- 
formation section by F(a, b) and G(a, b) , substitution 
of data by a high-order block of a transformation 

result by x H , and an intermediate-order block of the 
transformation result by x M , a low-order block of the 
transformation result by x L , and it is assumed that i * 
j) - 

6. A pseudorandom number generating apparatus 
according to claim 1, wherein 

one block is formed of 64 bits, and 
said nonlinear transformation section further 
comprises S-boxes for dividing an input block by taking 
8 bits as the unit and conducting nonlinear trans- 
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formation, and comprises a processing section for 
conducting the following processing: 
p 4- a XOR b, 

ti <- S [pi] (1 ^ i ^ 8) ; 

uH <- tj |t 2 | |t 3 | |t 4 ; 

uL <- t 5 | |t 6 | |t 7 1 |t 8 ; 

uX <- uX XOR SHR8(uX) / X={L, H} ; 

uX <- uX XOR SHL16(uX), X={L, H} ; 

uL <- uH AND OxfOfOfOfO; 

uH <- uL AND OxOfOfOfOf; 

out <- uH || uL; 
(where an input from the state storage section is 
denoted by "a", an input from the buffer by "b", 
substitution of data by <-, S-box outputs by t lf t z , t 3 , 
t 4 , t 5/ t 6 , t 7 and t 8 in the descending order, or S [x] , 
and an x-bit right shift and an x-bit left shift in a 
64-bit width respectively by SHR X and SHL X , and it is 
assumed that p = p x I I p 2 1 I p 3 1 I p 4 1 I p 5 1 i p 6 1 I Pt I I Pe (1 = 1 = 
8) ) . 

7. A pseudorandom number generating apparatus 

according to claim 1, wherein 

said buffer has a capacity of 32 blocks, and 
said buffer transformation section comprises a process- 
ing section for conducting the steps of: 

outputting blocks included in 32 blocks 
output by said buffer except a 25th high-order block 
and a 32nd high-order block, as blocks lowered in order 
by one; 



conducting an exclusive OR-ing operation on 
the 32nd block with its high-order bits and its low- 
order bits interchanged and the 25th block, and output- 
ting a result of the operation as a 24th block; and 

conducting an exclusive OR-ing operation on 
the 32nd block and one block output from the state 
storage section, and outputting a result of the 
operation as a 1st block. 

8. A decryption apparatus comprising: 

a pseudorandom number generating apparatus 
for generating a pseudorandom number sequence having a 
length equal to that of plaintext data to be encrypted; 
and 

an operation section for conducting an exclu- 
sive OR-ing operation on the generated pseudorandom 
number sequence and the plaintext data, thereby calcu- 
lating ciphertext data and outputting the ciphertext 
data, and 

said pseudorandom number generating apparatus 

comprises : 

a state storage section; 
a buffer; 

a state transformation section for conducting 
transformation using a storage content of said buffer 
and a storage content of said state storage section and 
outputting a result of the transformation; 

a state storage control section for updating 
an internal state of said state storage section by 
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using the output of said state transformation section 
according to a clock; and 

a buffer control section for updating an 
internal state of said buffer by using the output of 
said buffer transformation section, 

said state storage section has a capacity of 
3 blocks (where one block has n bits) , and said buffer 
has a capacity of a plurality of blocks, and 

said state transformation section comprises: 

a nonlinear transformation section that uses 
the storage content of said buffer and the storage 
content of said state storage section as inputs; and 

an output section for outputting one block 
data included in said result of the transformation as a 
partial random number sequence. 
9. A decryption apparatus comprising: 

a pseudorandom number generating apparatus 
for generating a pseudorandom number sequence having a 
length equal to that of ciphertext data, by using 
information for determining a random number sequence 
used when generating the ciphertext data to be 
decrypted; and 

an operation section for conducting exclusive 
OR-ing operation on the generated pseudorandom number 
sequence and the ciphertext data, and thereby calculat- 
ing plaintext data, and outputting the plaintext data, 
and 

said pseudorandom number generating apparatus 



comprises : 

a state storage section; 
a buffer; 

a state transformation section for conducting 
transformation using a storage content of said buffer 
and a storage content of said state storage section and 
outputting a result of the transformation; 

a state storage control section for updating 
an internal state of said state storage section by 
using the output of said state transformation section 
according to a clock; and 

a buffer control section for updating an 
internal state of said buffer by using the output of 
said buffer transformation section, 

said state storage section has a capacity of 
3 blocks (where one block has n bits), and said buffer 
has a capacity of a plurality of blocks, and 

said state transformation section comprises: 

a nonlinear transformation section that uses 
the storage content of said buffer and the storage 
content of said state storage section as inputs; and 

an output section for outputting one block 
data included in said result of the transformation as a 
partial random number sequence. 

10. A pseudorandom number generating program that 

implements, in a computer including a storage device 
and a processor: 

a state storage section; 
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a buffer; 

a state transformation section for conducting 
transformation using a storage content of said buffer 
and a storage content of said state storage section and 
outputting a result of the transformation; 

a state storage control section for updating 
an internal state of said state storage section by 
using the output of said state transformation section 
according to a clock; and 

a buffer control section for updating an 
internal state of said buffer by using the output of 
said buffer transformation section, 

wherein 

said state storage section has a capacity of 
3 blocks (where one block has n bits) , and said buffer 
has a capacity of a plurality of blocks, and 

said state transformation section comprises: 

a nonlinear transformation section that uses 
the storage content of said buffer and the storage 
content of said state storage section as inputs; and 

an output section for outputting one block 
data included in said result of the transformation as a 
partial random number sequence. 

11. A pseudorandom number generating apparatus 

according to claim 1, wherein 

said state transformation section conducts 
the following processing: 

X H <— Am 
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X M <r- A L XOR F(A M , Bj ) 
X L <- A H XOR G(A„, B,) 
(where a high-order block of the storage content of the 
state storage section is denoted by Ah, an intermediate- 
order block of the storage content of the state storage 
section by Am, a low-order block of the storage content 
of the state storage section by A L , an Ith block of said 
buffer storage section by B x , said nonlinear transforma- 
tion section by F (A, B) and G (A, B) , data inputting by 
<-, a high-order block of a transformation result by X H , 
and an intermediate-order block of the transformation 
result by X M , a low-order block of the transformation 
result by X, and it is assumed that I * J) . 
12. A pseudorandom number generating apparatus 

according to claim 1, wherein 

one block is formed of 64 bits, and 
said nonlinear transformation section further 
comprises S-boxes for dividing an input block by taking 
8 bits as the unit and conducting nonlinear transforma- 
tion, an MDS matrix for conducting linear transforma- 
tion on outputs of the S-boxes by taking 32 bits as 
unit, and a processing section for conducting the 
following processing: 

P <— A XOR B; 

T x <- S [PJ (1^1 £ 8) ; 

U H 4r- MDS-l (T lf T 2 , T 3 , T 4 ) ; 

U L <- MDS, (T 5 , T 6 , T„ T 8 ) ; 

U H = X 1 | | X 2 | | X 3 | | X 4 
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U L = X 5 || X 6 || X 7 || X E 

OUT <— X 5 I I X 6 || X 3 || X 4 | | X, | | X 2 I I X 7 I I X s ; 
(where an input from the state storage section is 
denoted by "A", an input from the buffer storage 
section by "B", substitution of data by <-, S-box 
outputs by T lf T 2 , T 3 , T 4 , T 5/ T 6 , T 7 and T 8 in the 
descending order, or S [X] , and a transformation section 
using the MDS matrix by MDS (T a , T b/ T c , T d ) , and it is 
assumed that P = P 1 1 | P 2 1 | P 3 1 | P 4 1 | P 5 1 | P 6 1 | P 7 1 j p 8 (1 S I ^ 
8) ) . 

13. A pseudorandom number generating apparatus 

according to claim 1, wherein 

said buffer has a capacity of 18 blocks, and 
said buffer transformation section comprises a process- 
ing section for conducting the steps of: 

outputting blocks included in 18 blocks 
output by said buffer except a 2nd high-order block, a 
12th high-order block, and an 18th high-order block, as 
blocks lowered in order by one; 

conducting an exclusive OR-ing operation on 
the 2nd block and a 7th block, and outputting a result 
of the operation as a 3rd block; 

conducting an exclusive OR-ing operation on a 
15th block with its high-order half block and its low- 
order half block interchanged and the 12th block, and 
outputting a result of the operation as a 13th block; 
and 

conducting an exclusive OR-ing operation on 
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the 18th block and one block output from the state 
storage section and outputting a result of the 
operation as a 1st block. 

14. A pseudorandom number generating apparatus 
according to claim 1, wherein said pseudorandom number 
generating apparatus comprises: 

a key transformation section for expanding 
key information to data having a size equivalent to the 
capacity of said buffer section, and inputting 
resultant data to said buffer section. 

15. A pseudorandom number generating apparatus 
according to claim 1, wherein 

said state storage section uses public 
parameters . 

16. A pseudorandom number generating apparatus 
according to claim 1, wherein 

one block is formed of 64 bits, and 
said nonlinear transformation section further 
comprises S-boxes for dividing an input block by taking 
8 bits as the unit and conducting nonlinear transforma- 
tion, an MDS matrix for conducting linear transforma- 
tion on outputs of the S-boxes by taking 32 bits as 
unit, and a processing section having a 64-bit constant 
for conducting the following processing: 

P <- A XOR B; 

T z <- S [PJ (1 ^ I ^ 8) ; 

U H <r~ MDS! (T lf T 2 , T 3 , T 4 ) ; 

U L <- MDS 2 (T 5/ T s/ T 7 , T 8 ) ; 



- 46 - 

U H = X, || X 2 || X 3 || X 4 ; 
U L = X 5 | | X 6 | | X 7 | | X B ; 

Z <- X 5 | | X 6 | | X 3 | | X 4 | | X, | | X 2 | | X 7 | | X B ; 

OUT <- Z XOR C; 
(where an input from the state storage section is 
denoted by "A", an input from the buffer storage 
section by "B", substitution of data by <r- r S-box out- 
puts by T 2 , T 3/ T 4 , T s , T 6/ T 7 and T g in the descending 
order, or S [X] , and a transformation section using the 
MDS matrix by MDS (T a , T b , T c , T d ) , the constant by C, and 
it is assumed that P = P 1 1 | P 2 1 | P 3 1 | P 4 1 | P 5 i I P 6 1 I P 7 1 I P 8 (1 ^ 
I S 8) ) . 

17. A pseudorandom number generating apparatus 
according to claim 16, wherein 

when said constant C is divided into 8-bit 
blocks, at least one block has a value different from 
values of other blocks. 

18. A pseudorandom number generating apparatus 
according to claim 1, wherein 

said buffer has a capacity of 16 blocks, and 
said buffer transformation section comprises a process- 
ing section for conducting the steps of: 

outputting blocks included in 16 blocks 
output by said buffer except a 4th high-order block, a 
10th high-order block, and a 16th high-order block, as 
blocks lowered in order by one; 

conducting an exclusive OR-ing operation on 
the 4th block and an 8th block, and outputting a result 
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of the operation as a 5th block; 

conducting an exclusive OR-ing operation on a 
14th block with its high-order half block and its low- 
order half block interchanged and the 10th block, and 
outputting a result of the operation as an 11th block; 
and 

conducting an exclusive OR-ing operation on 
the 16th block and one block output from the state 
storage section and outputting a result of the opera- 
tion as a 1st block. 

19. A pseudorandom number generating apparatus 

according to claim 1, wherein 

said pseudorandom number generating apparatus 
comprises a key transformation section supplied with 
key information and a diversification parameter, and a 
control section for controlling said key transformation 
section, and 

said key transformation control section 
controls said key transformation section so 
as to expand said key information to data having a size 
equal to a capacity of said buffer section, input 
resultant data to said buffer section, expand said key 
information to data having a size equal to a capacity 
of said state section, and input resultant data to said 
state section, and controls said state transformation 
section and said key transformation section so as to 
further update data of said state section, by using 
said key information expanded and input to said state 
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section, and said diversification parameter. 



